# GraphQL

[GraphQL ](https://portswigger.net/web-security/graphql/what-is-graphql)is an API query language that is designed to facilitate efficient communication between clients and servers. It enables the user to specify exactly what data they want in the response, helping to avoid the large response objects and multiple calls that can sometimes be seen with REST APIs.

## Detection

### Universal Queries

```graphql
query{__typename}
# Response include the string:
{"data": {"__typename": "query"}}
```

### Common Endpoint

* `/graphql`
* `/api`
* `/api/graphql`
* `/graphql/api`
* `/graphql/graphql`
* Also try appending `/v1` to the path
* GraphQL services will often respond to any non-GraphQL request with a "query not present" or similar error.

### Other

In general GraphQl only accept POST requests that have a content-type of `application/json`. However, some endpoints may accept alternative methods. Try with

* [Universal Query](#universal-queries) using alternative HTTP methods.
* POST requests that use a content-type of `x-www-form-urlencoded`.

## Discovering Schema Information

With PurpSuite:

* Right-click in Repeter and `GraphQL > Set introspection query`&#x20;
* Right-click in Repeter and `GraphQL > Set legacy introspection query`&#x20;
* Right-click in Response and `GraphQL > Save GraphQL queries to site map`

Use can also use  [GraphQL visualizer](http://nathanrandal.com/graphql-visualizer/) for a better view of the scheme.

### Introspection Queries

Introspection is a built-in GraphQL function that enables you to query a server for information about the schema. Introspection helps you to understand how you can interact with a GraphQL API. It can also disclose potentially sensitive data, such as description fields.  It is best practice for introspection to be disabled in production environments, but this advice is not always followed.

```graphql
{"query": "{__schema{queryType{name}}}"}
```

When developers disable introspection, they could use a regex to exclude the `__schema` keyword in queries. You should try characters like spaces, new lines and commas, as they are ignored by GraphQL but not by flawed regex.

ex.  Regex exclude:  `__schema{` \
&#x20;       Bypass:  `__schema\n{`

### Full Introspection Queries

You can get as much information on the underlying schema as possible.\
The example query below returns full details on all queries, mutations, subscriptions, types, and fragments.

```graphql
query IntrospectionQuery {
        __schema {
            queryType {
                name
            }
            mutationType {
                name
            }
            subscriptionType {
                name
            }
            types {
             ...FullType
            }
            directives {
                name
                description
                args {
                    ...InputValue
            }
            onOperation  #Often needs to be deleted to run query
            onFragment   #Often needs to be deleted to run query
            onField      #Often needs to be deleted to run query
            }
        }
    }

    fragment FullType on __Type {
        kind
        name
        description
        fields(includeDeprecated: true) {
            name
            description
            args {
                ...InputValue
            }
            type {
                ...TypeRef
            }
            isDeprecated
            deprecationReason
        }
        inputFields {
            ...InputValue
        }
        interfaces {
            ...TypeRef
        }
        enumValues(includeDeprecated: true) {
            name
            description
            isDeprecated
            deprecationReason
        }
        possibleTypes {
            ...TypeRef
        }
    }

    fragment InputValue on __InputValue {
        name
        description
        type {
            ...TypeRef
        }
        defaultValue
    }

    fragment TypeRef on __Type {
        kind
        name
        ofType {
            kind
            name
            ofType {
                kind
                name
                ofType {
                    kind
                    name
                }
            }
        }
    }
```

### Suggestions

You can sometimes use suggestions to glean information on an API's structure.\
Suggestions are a feature of the Apollo GraphQL platform: ex. `There is no entry for 'productInfo'. Did you mean 'productInformation' instead?`

<table><thead><tr><th width="145"></th><th></th></tr></thead><tbody><tr><td><a href="https://github.com/nikitastupin/clairvoyance">Clairvoyance</a></td><td>Tool that uses suggestions to automatically recover all or part of a GraphQL schema, even when introspection is disabled.</td></tr></tbody></table>

## Attacks

Send some test requests to understand more about how it works.

* [IDOR](/rednote/pentesting-process/web-attacks/idor.md)
* Brute Force with Alias
* [CSRF](/rednote/pentesting-process/web-attacks/csrf.md)


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://ivalexev.gitbook.io/rednote/pentesting-process/web-attacks/graphql.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.